px_proxy_factory_copy doesn't increment refcount of the underlying proxy manager #280
Comments
smcv
added a commit
to smcv/libproxy
that referenced
this issue
Feb 27, 2024
The second argument to g_boxed_copy() is meant to be a pointer to the boxed instance itself, not a pointer to a pointer to the boxed instance. For example, `g_boxed_copy (G_TYPE_STRV, environ)` is correct (equivalent to g_strdupv() in this case), but `g_boxed_copy (G_TYPE_STRV, &environ)` would be incorrect. The same principle applies here. The test passed despite this because self->pf and &self->pf happen to both be pointer-sized, and as a result of libproxy#280, the data that is pointed to was copied byte-by-byte but not otherwise used; but this will no longer be true when libproxy#280 is fixed, so the test needs fixing first. Signed-off-by: Simon McVittie <smcv@debian.org>
smcv
added a commit
to smcv/libproxy
that referenced
this issue
Feb 27, 2024
Otherwise there is no guarantee that the object will continue to exist after the original factory is destroyed, and both the copy and the original factory will try to unref it when destroyed, which is a programming error. Resolves: libproxy#280 Signed-off-by: Simon McVittie <smcv@debian.org>
smcv
added a commit
to smcv/libproxy
that referenced
this issue
Feb 27, 2024
Previously the copy was never freed, which hid the bugs fixed by the previous commits. Reproduces: libproxy#280 Signed-off-by: Simon McVittie <smcv@debian.org>
smcv
changed the title
smcv
changed the title
janbrummer
pushed a commit
that referenced
this issue
Apr 2, 2024
The second argument to g_boxed_copy() is meant to be a pointer to the boxed instance itself, not a pointer to a pointer to the boxed instance. For example, `g_boxed_copy (G_TYPE_STRV, environ)` is correct (equivalent to g_strdupv() in this case), but `g_boxed_copy (G_TYPE_STRV, &environ)` would be incorrect. The same principle applies here. The test passed despite this because self->pf and &self->pf happen to both be pointer-sized, and as a result of #280, the data that is pointed to was copied byte-by-byte but not otherwise used; but this will no longer be true when #280 is fixed, so the test needs fixing first. Signed-off-by: Simon McVittie <smcv@debian.org>
janbrummer
pushed a commit
that referenced
this issue
Apr 2, 2024
Otherwise there is no guarantee that the object will continue to exist after the original factory is destroyed, and both the copy and the original factory will try to unref it when destroyed, which is a programming error. Resolves: #280 Signed-off-by: Simon McVittie <smcv@debian.org>
janbrummer
pushed a commit
that referenced
this issue
Apr 2, 2024
Previously the copy was never freed, which hid the bugs fixed by the previous commits. Reproduces: #280 Signed-off-by: Simon McVittie <smcv@debian.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
To reproduce:
Expected result: no runtime errors
Actual result: Whichever proxy factory is freed first is freed successfully, destroying the underlying proxy manager. Now the other proxy factory has a dangling pointer to a freed proxy manager. When the second proxy factory is freed, GLib will make an attempt to throw a critical warning:
but this is undefined behaviour, so it might equally well just crash.
The text was updated successfully, but these errors were encountered: